Sharable links behind Cloudflare Zero Trust

Hello,

I am self hosting Nextcloud at my domain nas.mydomain.sk via cloudflare tunnel. Since I didn’t want it to be on the internet, I also put a Cloudflare Zero trust challenge on *.mydomain.sk, so that I have to authenticate over email and then I can login to Nextcloud.

So far so good, everything is working as expected. However, I would like to share some files to my friends. So on Cloudflare I created a bypass rule for nas.mydomain.sk/s/*

When I generate a shareable link and open it in a browser that is authenticated with Cloudflare, I can see the page exactly as it is supposed to be, however when I open the link in a private window, I see only HTML text with no ability to download the file:

Screenshot 2025-06-02 at 9.27.41 AM1402×864 33.5 KB

What am I missing? Thank you.

Private windows are very often blocking javascript code, therefore I assume that this happens in your case too.

It is the same behavior when I try it in my phone’s internet browser that doesn’t have the cloudflare authentication in a regular non private non incognito window.

You also need to create bypass rules for CSS and JS files.

Thank you, I found this reddit thread saying the same thing:

https://www.reddit.com/r/selfhosted/comments/127lscc/cloudflare_zero_trust_bypass_problem/

But I don’t know which CSS and JS files. What other paths should I include in the bypass rule other than /s/* ?

All resources that your browser sends a request to. The easiest way is to look in your browser’s developer tools, where all requests are listed.

A better idea is to add to a share s/abcdefghijklmno the part /download e.g
s/abcdefghijklmno/download. Than the user can download the file directly without JS and CSS. But in the sharing seetings you can then not activate hide download. But that would be wrong at this point anyway.

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.